Two Factor Authentication, part 1

Today’s #TipTuesday is a topic that likely needs multiple posts to handle it properly. In fact, as I write this, it’s already long before I even get into examples and “how to” on common sites, so this will be a mini-series within my #TipTuesday series (a series within a series?!). Long story short: with all of the data breaches and hacks out there, the best thing you can do to protect your logins is to turn on Two Factor Authentication (2FA). There are multiple names and acronyms for this, most of which mean the same or similar things. (The other most common term you might hear is MFA, multi-factor authentication.)

What is it?

I would hope most people have at least heard of this before, but in case you haven’t, it’s a “secondary” authentication method for logging in to some site, whether that is your email account, Facebook, Twitter, or any website that requires a login and password.

The secondary factor is typically a verification code you enter from another device. The idea is that you prove who you are with something you know (your password) plus something you have (another device). That reduces the risk of an account takeover: an attacker might find or guess your password, but they are unlikely to also have your device. It’s not foolproof, but enabling it makes hacking your account a lot harder.

Not every website offers this feature, but it’s getting to the point where most major ones offer at least one method of 2FA/MFA. The most basic option most sites offer is a text-based verification code. Detractors will tell you this is a horrible system (the usual objections are SIM-swap attacks and interception of the text message), but honestly, it’s better than nothing at all. The odds of someone getting your password, particularly if you are not using a password manager, are relatively high. The odds of the same person also having your cell phone? Probably not as high.

If you work in an Accounting department and have a token system for your corporate banking logins, this is a perfect example of a 2FA system. Most personal websites don’t use external tokens like that exactly, but many offer similar options via apps on your phone.

Where to enable it

Anywhere you can! Seriously, if a site offers a 2FA/MFA option, I turn it on.

Banking sites, if they offer it, are a no brainer.

Email accounts FOR SURE. Think about every password reset feature ever: they send a reset link to your email account. Protect your email accounts with as much security as you can – long random passwords and 2FA or MFA if they offer it.

The other group of things where I am especially cautious are social media sites one can use as a login method to another unrelated website. Many sites allow you to “sign up” for them using your social media accounts. That means you want to protect your social media accounts from unauthorized logins too.

Personally, I will never use a social media account to log into another site. I use a password manager religiously (a topic for another day), I use random passwords for every site I can, and I don’t re-use the same password on more than one site. If a site gets hacked, I’d be pretty confident that my login + password combination cannot be used on any other site. Can I still get hacked? Sure I can, but I’m making it harder for whoever does by using random passwords and 2FA/MFA where I can.

If you’re going to use a social media account as the login for another unrelated site, make sure that social media account has some kind of 2FA/MFA on it. Facebook just got hacked, and if you were part of that hack, that would mean the attackers could also get into any of those other sites you log into through Facebook. Of course Facebook also recently was in the news because the phone number you give them for 2FA was being used for ad targeting. I’d still have 2FA enabled.

If a site doesn’t have the option for MFA/2FA, but has any kind of “login alert” option, enable that, which at least would alert you to a recent login you may or may not have made yourself. It’s slightly better than nothing.

How does it work?

Typically, once you enable a 2FA/MFA option on a website, the next time you log into that website, after you enter your login and password, you’ll be prompted to enter a code or approve the login via an app on your phone. Most sites have a “remember this device for X days” type of option so that you don’t have to do this every day.

Code-based authentication has different methods of delivery, but the end result is usually a 6-digit or 8-digit numeric code you type into the site as your 2FA method. Delivery is often via SMS/text message, but it can also be an app on your phone. During setup on the website, you “configure” your account with a phone number or with an app (for an app, the site shows a QR code containing a shared secret that the app stores), and after that they are linked, so to speak. The mechanics differ by method: with SMS, or an app that asks you to approve a pop-up, the login triggers a message that is sent to your phone. With a code-generator app, nothing is sent at all. The app and the site both compute the same code from the shared secret and the current time, and the code rolls over every 30 seconds, which is why the app shows a countdown. Either way, you have a limited amount of time to respond, from 30 seconds to a few minutes, before the code “expires” (this varies by site).

I currently have 4 “authentication” apps on my phone because we use 1 app at work, many Microsoft sites use their own Microsoft Authenticator app, my password manager has its own app, and I use a third-party one for sites where I have a choice of app. In the end, all of them do the same basic thing. If I had a choice, I would use 1 app, but it doesn’t always work out that way. Some of the sites require me to type in a code from my authentication app or text message, and some simply need me to approve via a pop-up message from the app itself on my phone. Either way, it delays logging into a site by a handful of seconds at most.

Backup Codes

On certain sites, when you set up 2FA/MFA, you may also get a set of “backup codes”. This may be called something different on different sites, but essentially these are codes to use if you lose your 2FA/MFA device or can’t get access to it for some reason. The theory behind backup codes is that if you are somewhere without your phone, or without cellular coverage (a problem for SMS if you’re travelling, for instance), or you lose your phone and have to prove you are who you say you are, any one of the backup codes will work as the verification method to get you logged in. Each code is normally good for one login only, so once you have used one, cross it off.
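For the curious, here is how a site can issue and check a set of backup codes, as an added example that is not part of the original post and is not taken from any particular site. The alphabet, code length and the small store class are assumptions for illustration; the two properties worth noticing are that the site keeps only hashes of the codes, and that each code stops working the moment it is redeemed.

```python
import hashlib
import hmac
import secrets
from typing import List

# Assumed alphabet: lowercase letters and digits minus the lookalikes 0/o, 1/l/i,
# so a code read off a printout is hard to mistype.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def normalize(code: str) -> str:
    """Accept what a user is likely to type: any case, with or without dashes/spaces."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def hash_code(code: str) -> str:
    # Each code is ~50 bits drawn from a CSPRNG (31 symbols ** 10), so a plain
    # SHA-256 is adequate at rest; a user-chosen password would need a slow hash.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


def generate_backup_codes(count: int = 10, groups: int = 2, group_len: int = 5) -> List[str]:
    """The plaintext set shown to the user exactly once, e.g. 'k7m2q-x9vbd'."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(groups * group_len))
        codes.append("-".join(raw[i:i + group_len] for i in range(0, len(raw), group_len)))
    return codes


class BackupCodeStore:
    """What the site stores for one account: hashes only, each usable once."""

    def __init__(self, codes: List[str]) -> None:
        self._unused = {hash_code(c) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """True and the code is burned if it matches an unused code; False otherwise."""
        digest = hash_code(submitted)
        match = None
        # Compare against every stored hash in constant time so a miss costs the
        # same as a hit and reveals nothing about how many codes remain.
        for stored in self._unused:
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)  # single use: the same code will not work again
        return True


if __name__ == "__main__":
    issued = generate_backup_codes()
    store = BackupCodeStore(issued)
    print("Print these and keep them somewhere safe:")
    for c in issued:
        print("  ", c)
    print("first code works:", store.redeem(issued[0]))
    print("same code again:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

The store never holds the plaintext codes, so a copy of the site’s database does not hand an attacker a working second factor. That is also the reason a site cannot “remind” you of your backup codes later; it can only generate a fresh set and invalidate the old one.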

The hardest part for me is where to keep those. If you’re reading this, add a comment on where you save yours. Do you print them physically? I tend to store mine in a Dropbox/OneDrive type of account, but I’m working under the very big assumption that if I lose my phone, I will have access to that in a pinch (and THAT account isn’t the website I’m trying to authenticate into at the moment). That’s a risk. On some high-profile accounts, I may copy some of those backup codes to other places on my phone or tablet that don’t require a login, like a Notes app. I’ve got over a dozen sets of backup/recovery codes stored by site name in case I need them. I’ve yet to have to use them.

Sounds complicated!

Yes, it does, and it can be a pain in the a** for a little while until you get used to it. I recommend trying 2FA/MFA on one thing first to get the hang of it, like the email account you use most often for logging into websites. If you use multiple devices (say a computer, cell phone and iPad or tablet), you will feel like you’re going insane the first time you switch an account over to 2FA, because you’ll likely have to authenticate again in all the places where you log in. Once you get used to it, it becomes normal.

There are little irritations from using it, like you’ll learn to never charge your phone in another room when you sit down at your computer to do some surfing. 🙂

In all seriousness though, I can’t imagine not using any 2FA/MFA on my key sites. In my next #TipTuesday post (one or more, to be determined!), I’ll start to walk through how to set up 2FA/MFA on some common sites and services like Office 365, Gmail, LinkedIn, Facebook, Twitter etc.